Wednesday, August 12, 2015: Maximum Shelf: Lights Out

Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath

by Ted Koppel

One night in 1945, when Ted Koppel was about five years old, his German Jewish refugee father, a member of the British Home Guard, "took me out onto the street to show me a sight I had never seen before: lighted street lamps....There was a popular song at the time: 'When the Lights Go On Again All Over the World.'... Much of Britain's civilian population had faced infinitely more harrowing circumstances than ours. What lingers, after all these years, is the sense of preparedness, of having a plan, of being ready for whatever might come."

Koppel (Off Camera) is a broadcast news icon. Among other accomplishments, he was the trusted face of Nightline for 26 years, and has won scores of major journalism awards. In Lights Out, his first book of investigative journalism, he builds a strong case that a cyber attack on the US electrical power grids is likely, potentially devastating, and that the U.S. government has failed to adequately prepare for it.

Cyber attacks may come from nations or small groups, and are deniable in ways that a nuclear attack is not, which means that attackers need not fear immediate retaliation. Koppel refers to a Federal Energy Regulatory Commission (FERC) analysis "which found that if nine of the country's most critical substations were knocked out at the same time, it could cause a blackout encompassing most of the United States." He tells how "on April 13, 2010, a bipartisan group of ten former national security, intelligence and energy officials... sent a confidential letter, not previously released, to the Chairman and Ranking Member of the House Committee on Energy and Commerce." It concluded that "The grid is extremely vulnerable to disruption by a cyber- or other attack," and that "a carefully targeted attack... would result in widespread outages for at least months to two years or more." A separate congressional commission stated that "only one in ten of us would survive a year into a nationwide blackout, the rest perishing from starvation, disease and societal breakdown."

It might be tempting to dismiss these extreme scenarios as fearmongering, if it weren't for Koppel's reliance on reams of studies and reports, and interviews with top-ranking national security experts and policy makers from all levels of government and industry, including power company officials, the military, NSA, FEMA and Homeland Security. Koppel lays out the many conflicting risk assessments within the government and the power industry, and his readers are free to judge the evidence. None of the experts thinks that sabotaging the power grid would be easy, but many seem to believe it's very likely.

However, Homeland Security has no plan to deal with the aftermath of a cyber attack on the power grid, and neither does FEMA. Koppel summarizes FEMA's attitude as, "there is no clear answer, nor is there a specific plan, and there is no plan... because they don't think it will happen."

Thanks to 1980s deregulation, as of 2015 the U.S. has about 3,000 power companies, a highly complex power grid kept in balance by a computerized system. Koppel explains simply and clearly how the system is scheduled and monitored to prevent overloads. But the power industry is largely self-regulating, and small privately owned companies often have weak security. Koppel compares this situation to Ebola infection: one tiny exposed spot may be all that is required to take the entire system down.

Industry officials point to "air gaps," physical space between networks, as a rock-solid security measure. But these gaps can be compromised whenever a worker connects a personal device to the network. And FERC tests have consistently found connections between public access, administrative and operational networks.

In addition to air gaps, some officials cite CRISP, or Cyber Risk Information Sharing Program, as an effective defense. CRISP is meant to warn companies about potentially dangerous network traffic in real time. But as of 2015 it operates in "near-real time" and shares information with only 15 out of 3,000 companies, a number that may increase to 40 or 50 by the end of 2015. Koppel emphasizes the power industry's opposition to information sharing as one of the greatest obstacles to effective cyber defense.

He also looks at the potential for both EMP (electromagnetic pulse) and physical attacks on substations and large power transformers. These transformers' age averages around 40 years, most are custom built, and most must be built overseas. Replacing one can cost up to $10 million, and take six months to two years. He examines the lack of sufficient emergency food supplies, the institutional incompetence of the Red Cross, the potential for violence and "preppers" who think they can survive a major disaster by barricading themselves with their stockpiles. He devotes three chapters to a study of the Mormons, who are required by their faith to be prepared for any disaster. They have a complete and contained system of food storage, transportation and communication, a system of total community preparation that might act as a model for the rest of the nation.

Lights Out is suffused with the anxiety that comes with trying to predict an uncertain future. Readers may be tempted to retreat from this mass of alarming facts and figures. However, Koppel offers the British WWII civil defense measures of his childhood as an example of national training that put "an organized structure in place. There was a level of civilian discipline that served the country well." No matter what disasters come our way, he believes we could only benefit from building prepared communities and a national emergency plan to hold society together until the lights come back on. --Sara Catterall

Crown,
$26,
hardcover, 9780553419962,
October 27, 2015

Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath
by
Ted Koppel

Share with friends:

Permanent Link:

Ted Koppel: Planning for Disaster

photo: Steven Biver

Ted Koppel, a 42-year veteran of ABC News, was anchor and managing editor of Nightline from 1980 to 2005. In 2012, New York University named Koppel one of the top 100 American journalists of the past hundred years. He has won every significant television award, including eight George Foster Peabody Awards, 11 Overseas Press Club Awards, 12 duPont-Columbia Awards and 42 Emmys. He has just written Lights Out (Crown, $26 hardcover, 9780553419962, October 27, 2015).

What made you write a book rather than a documentary or TV series, as in the past?

Well, I suppose if I'd still been working for Discovery, or if I'd still been working for ABC, I probably would have done a documentary, but the commercial networks do not do documentaries on serious issues anymore. I doubt very much that in the past few years I would have gotten this on any one of the networks.

So a book is your best outlet at this point.

Absolutely.

I was struck by the disagreement at every level of government and industry as to the level and nature of the risk. The politicians are listening to lobbyists instead of national security experts. What could change that situation?

One is a massive power outage that lasts for a few weeks. We tend to respond to disaster after it happens far more efficiently than we do to the prospect of a disaster before it happens. It's just a sad fact of life in a functioning democracy like ours. I'm bewildered by the fact that the TSA has, over the past almost 14 years, spent more than $100 billion. And yet, when the latest test was conducted by their parent organization, Homeland Security, in 95% of the cases where they tried to smuggle weapons or phony bombs, they got through. You've got 55,000 people who hold jobs that did not exist 14 years ago. And yet the level of success in keeping the bombs out is 5%. That's pathetic.

Homeland Security does not come off well in your book. Do you think the creation of the Department of Homeland Security has increased our security in any way?

I have met some extraordinarily fine people who work or worked at Homeland Security. But the organization is a mistake. What you've done is take 22 different federal agencies and just jam them all together. Somehow after 9/11 that seemed like a smart thing to do. It wasn't. It was a disaster. If I hadn't been writing about the threat to the grid, there's an awfully good book to be written by someone about the mistakes that we make in the wake of a disaster. And one of the biggest was the creation of Homeland Security.

It's hard to read this book and not feel a little helpless.

Honestly, I think that's one of the reasons why the federal government hasn't done more.

Because they feel helpless?

Yes! I mean, you know, that happens. It's never reassuring. But that's why I put in those two historical examples about how the British reacted in the lead-up to World War II. They got almost everything wrong. And yet, I hope the point comes across that I think the effort was not wasted. That the exercise of simply getting people disciplined to focus on the impending disaster, so that they would think about what needs to be done, so that they could be more easily mobilized once the bombing began, was worthwhile. And in this country, during the 1950s into the '60s, we were all preparing for the bomb, and it was really only by virtue of years of trying to prepare for a nuclear attack that we and our adversaries, the Soviets, came to the conclusion that: "You know something, this ain't gonna work. We've got to find something else." And what we found was a balance of terror. Now, that sounds awful! But it's been effective.

Does the recent agreement with Iran affect your perspective on them as a cyber attack threat?

Of course it does. I think it's an important prism through which to view whatever nuclear agreement we ultimately end up signing with one another. Because everyone is still focused on the enormous danger of a nuclear Iran. I happen to agree. But what no one is paying attention to is the fact that cyber warfare, in which the Iranians are very skilled, can be almost as devastating as a nuclear attack. Please underscore the "almost." I understand the difference. There wouldn't be tens of millions of dead in the immediate aftermath of a cyber attack, although, depending on how long the outage lasts, the death toll could rise. But everyone is focused on the weapons we know. We haven't begun to gauge the impact of this new weapon that we don't fully understand yet. And the enormous difference between nuclear warfare and cyber warfare is: you always know who attacked you in a nuclear attack. If the Russians launch a cyber attack, they may do it from Brooklyn. And it may be months before we can prove to our satisfaction that it actually was initiated by the Kremlin. That changes the whole equation of warfare.

It sounds as if the government is at a stalemate with all of this.

God knows the president in his own way could not have been blunter than to spell it out as he did in his State of the Union address last year [2014]. He said we can't look back and say we didn't do anything about protecting the electric power grid. I sympathize with people in government who are saying, on the one hand we need to alert the American public, and then some smart person sitting in the second row asks, "Mr. President, what are you going to tell them to do?" That's the problem.

You suggest that we need to develop emergency communities rather trying to prepare household by household.

Right. What I'm afraid of is that we will have a nation of people sitting there with their three months' supply of food and their shotgun cradled on their lap saying just come and try and get it. That's a cartoon version of how we can react to this. And that's not going to work. But I had a revelation when I was talking to the freeze-dried food people out in Salt Lake City. where they're telling me about the problem with Meals Ready to Eat, the MREs. The problem is simple: they've got a five-year life. Nobody wants to buy them and store them because three years from now they're not going to be worth as much as they are today. So there is no massive supply of MREs, of freeze-dried food. And if somebody tells you "New York State has 20 million MREs"--wow, okay, what are you going to do on day three?

It sounded as if the Mormons are better prepared.

Only because they've been preparing for 200 years.

That seems like something that could be emulated, but the vast scale of this country is always a bit intimidating to think about.

It is. I don't make many suggestions, but that's why I raise the issue of the TSA. If someone had said, back in the year 2000, we're going to spend $100 billion over the next 15 years putting uniformed people at airports to make sure that nobody brings stuff on planes, everyone would have said you're crazy. I'm not minimizing what happened on 9/11. But we so overreacted to that that now we have spent $100 billion trying to protect against that kind of thing happening again.

If we spend $100 billion over the next 10 years on creating regional warehouses full of freeze-dried food, so that no matter what the disaster--natural disaster, defense disaster, cyber disaster--there would be food enough for tens of millions of people for a period of months. And if, in addition to that, you managed to find a way that local police forces and fire departments could begin the process of getting to know their communities and having their communities know them a little better by creating neighborhood groups. Wouldn't that be a better way of spending time and money? And infinitely adaptable to any crisis.

It seems that there should be some political will for this.

Politicians respond to what they see as public demand. If the public wants them to spend $100 billion on people in blue uniforms at the airport, there they'll be. Forever. --Sara Catterall